OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S
INFORMATION TECHNOLOGY MAINTENANCE
AND LOCAL AREA NETWORK
RELOCATION CONTRACT

May 2007      A-14-07-17022

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations,
we inspire public confidence in the integrity and security of SSA’s programs and
operations and protect them against fraud, waste and abuse. We provide timely,
useful and reliable information and advice to Administration officials, Congress
and the public.

Authority
The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

  • Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
  • Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and
management by proactively
seeking new ways to prevent and deter fraud, waste
and abuse. We commit to integrity and excellence by supporting an environment
that provides a valuable public service while encouraging employee development
and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:      May 21, 2007                                   Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   The Social Security Administration’s Information Technology Maintenance and Local
           Area Network Relocation Contract (A-14-07-17022)

OBJECTIVE

The objective of our review was to determine whether the Social Security Administration
(SSA) has adequate controls in place for the administration, oversight and
accountability of its contract for information technology maintenance and local area
network (LAN) relocation. [1]

BACKGROUND

In July 2002, SSA awarded TFE Technology Holdings LLC (TFE) a performance-based
contract to maintain and relocate Government-owned LANs, also known as computer
networks, and associated peripheral [2] equipment. TFE was acquired by Diebold,
Incorporated in 2004 and the company's name changed to Diebold Information and
Security Systems LLC (Diebold-ISS) effective May 18, 2005. A typical SSA computer
network includes equipment such as workstations, LAN cabinets, file servers, bridges,
routers, switches, and printers with stands. LAN equipment is a critical part of SSA’s
operating environment, and is used daily by SSA and Disability Determination Services
employees nationwide.
A recent article in Government Computer News aptly stated:
“Networks…form a critical part of the infrastructure of all agencies. Without a working
network, most agency activity would quickly grind to a complete halt.” [3]

[1] SSA Contract Number: 0600-02-60007.
[2] Peripheral equipment is a computer device (such as a keyboard or printer), that is not part of the
    essential computer, i.e., the memory and microprocessor. Some other examples of peripheral devices
    are a mouse, compact disc read-only memory drive (commonly known as CD-ROM drive), monitor,
    external zip drive, scanner and modem.
[3] McCormick, John, “Plug and Play: Network appliances help ease major changes to the system,”
    Government Computer News, (August 7, 2006), page 20.

Page 2 - The Commissioner

Diebold-ISS performs the following tasks under the contract:

1. Task Orders, indefinite delivery and quantity orders, to repair and modify LANs,
   install components, analyze networks, and provide advice about efficient network
   usage. Diebold-ISS bills SSA based on fixed hourly rates.

2. Relocation Services to deinstall, pack, ship and reinstall LANs; bring equipment
   back up to working order; and dispose of packing material. Diebold-ISS bills SSA a
   fixed price per call based on the number of components relocated.

3. Maintenance services to repair and replace broken computer workstations and
   peripherals. Diebold-ISS bills SSA a fixed price per call based on the equipment
   type. In an effort to cut contract costs, SSA added drop shipment maintenance
   repairs to the Statement of Work in February 2004. The drop shipment pricing
   includes the cost of a component device, such as a mouse or a keyboard, and the
   cost of overnight shipping.
   The equipment is replaced by the end-user or the
   Agency’s site LAN coordinator.

The contract term is 1 year beginning on September 1, 2002, with 4 1-year options to
renew. The fifth contract year began on October 1, 2006. The maximum contract
amount is $75 million. As of the end of our field work in October 2006, $51.8 million
was obligated under the contract. The SSA project officer in the Office of
Telecommunications and Systems Operations (OTSO) and the SSA Contracting Officer
in the Office of Acquisition and Grants (OAG) are authorized to place task
orders/delivery orders under the contract.

RESULTS OF REVIEW

SSA generally has adequate controls in place for the administration, oversight and
accountability of its contract for information technology maintenance and LAN
relocation. Some of the controls are:

    •   separation of duties between (1) procurement and contract administration,
        (2) program oversight, (3) finance and accounting, and (4) contractor suitability
        determination;

    •   invoices must be certified before payment;

    •   obligation transactions flow electronically from the procurement administration
        system to the accounting system;

    •   maintenance transactions are comprehensively tracked from the date the
        problem is reported to SSA’s Network Customer Service Centre to the date the
        problem is resolved; and

    •   maintenance invoices include the contract line item number and key information
        regarding the services rendered.

There are areas of contract management that need to be addressed, including:

    •   suitability determinations were not performed for all Diebold-ISS staff with access
        to SSA buildings and equipment;
    •   some paid invoices were not sufficiently supported;
    •   information was not
        recorded in the accounting system to distinguish payments
        made against specific order numbers;
    •   internal control weakness existed in contract oversight; and
    •   contractor’s reports on the destruction of hard drives were not made as required.

At the end of our fieldwork, we shared our findings and recommendations with SSA
employees responsible for managing the contract. The Agency’s contracting, program,
accounting, and suitability offices have subsequently taken steps to address most of
our findings.

SUITABILITY DETERMINATIONS WERE NOT PERFORMED FOR ALL
DIEBOLD-ISS STAFF WITH ACCESS TO SSA BUILDINGS AND EQUIPMENT

A number of the Diebold-ISS employees and its subcontractor staff involved in office
relocations we reviewed [4] did not receive background checks and should not have been
allowed to work on-site at an SSA facility or have access to Agency programmatic or
sensitive information. As a result, SSA is exposing its sensitive data to possible
compromise.

We did a two-step review of the contractor’s compliance with the Agency’s Protective
Security Clause [5] found in the Diebold-ISS contract. Through interviews and the review
of SSA and Diebold-ISS documentation, we found that four Diebold-ISS staff working
under the contract did not receive a background check as required by the Protective
Security Clause. One of the four nonapproved Diebold-ISS staff received SSA’s
replaced computer hard drives for destruction. Additionally, a Diebold-ISS contract
administrator informed us that its staff no longer request suitability approvals for
movers.
However, SSA’s suitability office informed us that the suitability determination
requirement for the movers was not waived.

[4] We reviewed documentation from relocations at SSA offices in Tampa-Carrollwood, Florida,
    October 2006; Ann Arbor, Michigan, October - November 2006; Freeport, New York, November 2006; and
    Pomona, California, November 2006.
[5] The purpose of the Protective Security Clause is to provide procedures for obtaining suitability
    determinations for contractor personnel who will be performing under the contract. “Performing under the
    contract” is defined as either working on-site at an SSA facility (including visiting the SSA site for any
    reason) or having access to agency programmatic or sensitive information.

As a result of the initial findings, we reviewed documentation from four Agency
relocations that took place in October and November 2006. According to Agency
suitability records, 4 of the 9 Diebold-ISS staff involved in the moves and all
27 subcontractor staff did not receive background checks and should not have been
permitted to work on-site at an SSA facility or have access to Agency programmatic or
sensitive information.

We recommend SSA strengthen internal controls to ensure that contractor personnel
performing under contracts have obtained the appropriate background checks prior to
beginning work on a contract. Additionally, we expect that full implementation of
Homeland Security Presidential Directive 12 (HSPD-12) [6] by SSA will help ensure that
background checks are conducted on all contract employees working on contracts of
this nature.
HSPD-12 requires that mandatory common identification standards for
Federal employees and contractors be implemented to ensure that secure and reliable
forms of identification are issued by the Federal Government to its employees and
contractors, including contractor employees.

SOME INVOICES WERE NOT SUFFICIENTLY SUPPORTED

We selected a sample of Diebold-ISS task order, relocation and maintenance
transactions for testing (see Appendix B for the details of the sampling methodology).
We reviewed 340 of the 83,616 requests for services initiated over the first 4 contract
years. [7] The table on page 5 reflects the results of our review:

Task Orders

We reviewed 100 task orders and found that 63 were billed and paid according to the
agreed-upon prices detailed in the contract and 2 were not. Additionally,
32 transactions did not have enough support with the invoice to determine whether the
services were billed and paid according to agreed-upon prices. For task orders billed at
fixed hourly rates, the vendor did not always indicate the number of hours for which
SSA was being billed or the hourly rate charged. Three task orders were erroneously
paid in excess of the amount certified by the program office. The overpaid amounts
were recovered in December 2005.

[6] August 2004 Presidential Policy for a Common Identification Standard for Federal Employees and
    Contractors.
[7] The first 4 contract years are as follows: Year 1-September 1, 2002 through August 31, 2003; Year 2-
    September 1, 2003 through September 30, 2004; Year 3-October 1, 2004 through September 30, 2005;
    and Year 4-October 1, 2005 through September 30, 2006. For Year 4, we tested transactions processed
    through June 30, 2006.

Relocation Orders

We reviewed 100 LAN relocation orders and found that 76 were billed and paid
according to agreed-upon prices detailed in the contract and 7 were not.
Additionally,
17 did not have enough support with the invoice to determine if the services were billed
and paid according to agreed-upon prices. Additionally, the vendor did not always
update the supporting documentation to reflect changes in the number of LAN
equipment moved after the original purchase order was created. The original order is
typically prepared many months ahead of the scheduled move date. Without this
information, it was difficult to accurately determine, by looking at the invoice and its
support, whether the Agency was billed the correct amount.

Maintenance

We reviewed 140 maintenance transactions. With the exception of one transaction, the
billed maintenance services were all billed and paid according to agreed-upon prices
detailed in the contract. Four requests for services were not billed by the vendor
because they were either resolved by the user or the vendor reported the equipment
was not covered under the contract. The maintenance invoices showed the
corresponding SSA problem management (PM) number and enough information about
the specific work performed to confirm whether the appropriate amounts were billed
and paid.

According to Federal Acquisition Regulation (FAR), [8] contract payment will be based on
receipt of a proper invoice and satisfactory contract performance. Invoices should
include the description, quantity, unit of measure, unit price, and extended price of
supplies delivered or services performed.

TRANSACTION TEST RESULTS

Type                                                  Total   Task Order   Relocation   Maintenance
Number of transactions reviewed                       340     100          100          140
Paid according to agreed upon prices                  274     63           76           135
Not paid according to agreed upon prices              10      2            7            1
Not billed/Not paid                                   4       -            -            4
Not enough support provided with invoice to
  determine if paid according to agreed upon prices   49      32           17           -
Paid in excess of certified amount                    3       3            -            -

[8] FAR 52.212-4 – Contract Terms and Conditions - Commercial Items and FAR 32.905 – Prompt
    Payment: Payment documentation and process.

SSA should ensure that invoices submitted
by the vendor are properly supported to make certain a sufficient review can be made
before certification and payments occur. Based on our recommendation, the Agency
contacted Diebold-ISS representatives who informed the Agency that it is now taking
steps to improve the support provided with invoices. Additionally, we recommend the
Agency resolve the incorrectly billed payments made to Diebold-ISS.
SSA contract
managers contacted Diebold-ISS representatives and are now working with
Diebold-ISS to resolve any incorrectly billed amounts.

INFORMATION IS NOT RECORDED IN THE ACCOUNTING SYSTEM TO
DISTINGUISH PAYMENTS MADE AGAINST SPECIFIC ORDER NUMBERS

The accounting system did not contain enough detailed information about the
Diebold-ISS task and relocation invoices paid to easily query the system to locate
actions related to a specific order number. For example, there was not enough
information in the accounting system to easily determine whether three of the invoices
we reviewed, which were paid in excess of the certified amounts, had already been
recovered by the Agency. Without the specific invoice number, it is difficult to retrieve
the payment information and activity concerning a particular relocation or task order
transaction on the Diebold-ISS contract. When SSA payment processing staff
members contacted Diebold-ISS in November 2006 to report the three payments made
in excess of the certified amounts, they were informed that SSA had already recovered
the funds by reducing the amount paid on another invoice in December 2005.
Transactions should be promptly recorded, properly classified and accounted for to
prepare timely accounts and reliable financial and other types of reports. The
documentation for transactions, management controls, and other significant events
must be clear and readily available for examination. [9]

During the first few contract years, relocation and task order numbers were recorded in
the description field in the financial accounting system when the invoices were paid.
However, the Office of Finance has subsequently discontinued capturing this
information.
To allow for more management information concerning the orders against
the contract, we recommend recording relocation and task order numbers in the
financial accounting system.

INTERNAL CONTROL WEAKNESS EXISTS IN CONTRACT OVERSIGHT

The Diebold-ISS contract does not indicate that an alternate project officer is assigned.
As a result, no one is officially designated in the contract as a back-up to represent the
project officer in the technical phases of the contract. Also, allowing a single individual
to manage a contract with no alternate available places too much control in the hands
of a single individual with insufficient oversight of the project officer’s role. SSA’s
practice is to assign a project officer and an alternate project officer to every contract. [10]

[9] Office of Management and Budget Circular A-123, II. Establishing Management Controls.
[10] Material Resources Manual Chapter 06, Instruction Number 05: Technical Support for Acquisitions –
     The Role of the Project Officer.

According to the Diebold-ISS contracting officer, the project officer did not want an
alternate assigned. However, an alternate project officer would improve checks and
balances in contract oversight. Additionally, by being available to help manage and
resolve contract issues, the alternate would provide an independent view of the contract
activities. Therefore, to support best practices and improve internal controls, we
recommend that the program office designate an alternate project officer in the
contract.

CONTRACTOR REPORTS ON THE DESTRUCTION OF HARD DRIVES WERE NOT
MADE AS REQUIRED

The contractor did not issue required monthly reports to SSA about hard drive
destruction until sometime in 2006, after we requested them for review during our audit
field work.
Without the reports, the Agency did not have formal documentation to
monitor whether the hard drives were wiped per SSA standards and to identify the
disposition of the equipment. The contract was modified in August 2004 to require
Diebold-ISS to document and issue monthly certification reports to the Agency on hard
drive replacements and disposition. According to the contract modification, the report
should include a statement describing the method or methods used for destruction of
the replaced hard drive(s). The contractor shall also provide on each report the SSA
PM number, contractor case number, drive model and serial number, and the date
destroyed.

SSA did not have a formal ongoing hard drive destruction verification process for the hard
drives disposed of by Diebold-ISS. However, in March 2006, the project officer
received the results of an independent contractor’s review which found that two hard
drives destroyed by Diebold-ISS were effectively wiped clean of data. Additionally, in
May 2006 the project officer performed an in-house test of several hard drives and
found Diebold-ISS had properly wiped or destroyed data from the hard drives.

In discussions with the vendor, we learned that not all SSA hard drives were destroyed
using the same methodology. The contractor informed auditors that its staff
documented the destruction of the hard drives but failed to make the monthly reports to
SSA. Based on our review of hard drive destruction reports for August, September and
October 2006, the contractor has taken steps to report the required monthly
information.

We recommend SSA ensure that future hard drive destruction reports are made timely
and include the required information. We also recommend SSA ensure it receives
reports for all equipment replaced and destroyed by Diebold-ISS since August 2004
with the required information concerning disposition.
This will help ensure an
appropriately documented chain of custody of the SSA equipment. Finally, we
recommend SSA continue to periodically ask for a sample of replaced hard drives to
test to determine whether Diebold-ISS erased or otherwise destroyed all data on the
units as required.

CONCLUSION AND RECOMMENDATIONS
SSA generally has adequate controls in place for the administration, oversight and
accountability of its contract for information technology maintenance and LAN
relocation. However, there are areas of contract management that need to be
improved. A number of Diebold-ISS staff did not have suitability approval to perform
under the contract. Additionally, the support Diebold-ISS provides with invoices should
be improved to ensure enough information is available to confirm whether services
were billed according to agreed-upon prices detailed in the contract. Finally, several
weaknesses in controls over contract oversight and information recording need to be
addressed.

We recommend SSA:

   1. Strengthen internal controls to ensure that contractor personnel performing
      under contracts have obtained the appropriate suitability determinations.

   2. Continue to work with Diebold-ISS to improve the support provided with invoices
      for task and relocation orders.

   3. Resolve the incorrectly billed payments made to Diebold-ISS, as appropriate.

   4. Assess the feasibility of recording relocation and task order numbers in the
      Agency’s financial accounting system.

   5. Designate an alternate project officer in the Diebold-ISS contract.

   6. Ensure future hard drive destruction reports are made timely and include the
      required information.

   7. In cases where incomplete hard drive destruction reports were provided to SSA
      after August 2004, request that Diebold-ISS provide updated reports where
      necessary.

   8. Continue to periodically ask for a sample of replaced hard drives to test to
      determine whether Diebold-ISS erased or otherwise destroyed all data on the
      units as required.

AGENCY COMMENTS
SSA agreed with our recommendations (see Appendix C).

Patrick P. O’Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope, Methodology and Test Results
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
Diebold-ISS   Diebold Information and Security Systems LLC
FAR           Federal Acquisition Regulation
HSPD-12       Homeland Security Presidential Directive 12
LAN           Local Area Network
OAG           Office of Acquisition and Grants
OIG           Office of the Inspector General
OTSO          Office of Telecommunications and Systems Operations
PM            Problem Management
SSA           Social Security Administration
SSN           Social Security Number
TFE           TFE Technology Holdings LLC

Appendix B

Scope, Methodology and Test Results
We conducted our audit field work between June and November 2006 in
Baltimore, Maryland.
The principal entities audited were the Social Security Administration’s (SSA):
    •   Office of Acquisition and Grants, the contracting office; and

    •   Office of Telecommunications and Systems Operations, the program office.
We also reviewed records and interviewed staff in the Agency’s:
    •   Deputy Commissioner for Budget, Finance and Management (DCBFM), Office of
        Finance; and

    •   DCBFM, Office of Personnel, Center for
        Personnel Security and Project
        Management.
We conducted our audit in accordance with generally accepted government auditing
standards. To meet our objective, we:
    •   reviewed applicable Federal laws and regulations and applicable SSA policies
        and procedures;

    •   reviewed the contract for Information Technology Maintenance and Local Area
        Network Relocation, number 0600-02-60007;

    •   interviewed Agency and Diebold Information and Security Systems LLC
        (Diebold-ISS) staff;

    •   reviewed and observed Agency contract management processes;

    •   tested task order, relocation and maintenance transactions in September and
        October 2006;

    •   reviewed Agency contractor suitability records; and

    •   reviewed documentation from four Agency relocations which took place in
        October and November 2006 [1] to determine if Diebold-ISS staff were approved
        suitable to work on-site at an SSA facility or have access to Agency
        programmatic or sensitive information.

[1] We reviewed documentation from relocations at SSA offices in Tampa-Carrollwood, Florida, October
    2006; Ann Arbor, Michigan, October - November 2006; Freeport, New York, November 2006; and
    Pomona, California, November 2006.

Table 1: Diebold-ISS Contract Statistical Sampling Information

Description       Totals        Task Orders          Relocation Requests   Maintenance Service Requests
                                (Excludes            (Excludes             (Excludes
                                Cancelled Orders)    Cancelled Orders)     Cancelled Orders)
Universe Count    83,616        603                  433                   82,580
Sample Items      340           100                  100                   140
Sample Dollars    $2,726,132    $459,992             $2,170,083            $96,057

Further, we determined that the Agency's computerized data used to record relocation
orders, task orders and maintenance calls made to the vendor and the suitability
records pertaining to Diebold-ISS staff were sufficiently reliable given the audit objective
and intended use of the data and should not lead to incorrect or unintentional
conclusions.

Testing Methodology and Results
For testing, we selected a sample of task order, relocation and maintenance requests
for Diebold-ISS services made by SSA during the first 4 contract years. We reviewed
340 transactions totaling $2.7 million from the sampling universe reflected in Table 1.
The total universe was 83,616 transactions.
First, we selected 120 transactions, consisting of the 5 largest and 5 smallest dollar
transactions for each of the first 4 contract years, for each of the 3 service types (task
order, relocation and maintenance).
Second, we randomly selected 220 transactions through a statistical sampling
methodology by contract year and type, as follows:
   1. Task Orders: 15 transactions per contract year,
   2. Relocation Orders: 15 transactions per contract year, and
   3. Maintenance: 25 transactions per contract year.

Testing results are reflected in tables 2 through 4, which follow.

Table 2: Diebold-ISS Contract Testing Review Results – Review of 100 Task Order
Transactions

                                                      Total   YR 1    YR 2    YR 3    YR 4
TASK ORDER                                            100     25      25      25      25
Paid according to agreed upon prices                  63      10      16      17      20
Not paid according to agreed upon prices              2       -       1 [2]   1 [3]   -
Not enough support provided with invoice to
  determine if paid according to agreed upon prices   32      15      8       4       5
Paid in excess of certified amount                    3       -       -       3 [4]   -
Paid Invoice Certified by Program Office              100     25      25      25      25
Paid transactions recorded in accounting system       100     25      25      25      25

The attributes we considered to evaluate whether the test transactions were processed
correctly were:

      1. For the service rendered, was the amount billed and paid in accordance with the
         agreed upon prices detailed in the contract; [5]
      2. Was the paid invoice certified by the program office; and
      3. Was a corresponding payment recorded in the accounting system.

[2] Contract Year 2 – TO0345 overbilled $2,990.
[3] Contract Year 3 – TO0399 overbilled $206.
[4] Contract Year 3 - Three invoices were paid in excess of the certified amount. The overpaid amounts
    were as follows: TO554 - $12,514.50, TO555 - $20,394.00 and TO556 - $20,857.50. The Office of
    Finance recovered the overpaid amount of $53,766 from Diebold-ISS in December 2005.
[5] Contract Addendum B – Cost Tables.

Table 3: Diebold-ISS Contract Testing Review Results - Review of 100 Relocation
Transactions

                                                      Total   YR 1    YR 2    YR 3                               YR 4
RELOCATION                                            100     25      25      25                                 25
Paid according to agreed upon prices                  76      21      18      22                                 15
Not paid according to agreed upon prices              7       -       6 [6]   1 [7]                              -
Not enough support provided with invoice to
  determine if paid according to agreed upon prices   17      4       1       2                                  10
Paid invoice certified by program office              99      25      25      24 certified/(1 not located) [8]   25
Paid transactions recorded in accounting system       100     25      25      25                                 25

[6] Contract Year 2 – RL0237 – Underbilled $7,638.48; RL0101 – Underbilled $99; RL0103 – Underbilled
    $24; RL0176 – Overbilled $2,472; RL00217 – Overbilled $2,472; RL0255 – Overbilled $457.
[7] Contract Year 3 – RL0444 – Overbilled $343.
[8] Unable to locate copy of RL0347 in accounting office to determine if certified.

Table 4: Diebold-ISS Contract Testing Review Results – Review of 140
Maintenance Transactions

                                                      Total   YR 1     YR 2     YR 3     YR 4
MAINTENANCE                                           140     35       35       35       35
Paid according to agreed upon prices                  135     34       33       33       35
Not paid according to agreed upon prices              1       0        1 [9]    0        0
Not billed                                            4       1 [10]   1 [11]   2 [12]   0
Paid Invoice Certified by Program Office              136     34       34       33       35
Paid transactions recorded in accounting system       136     34       34       33       35

[9] Contract Year 2 – Maintenance Problem
Number 283077 - Overbilled $67.20 ($70 minus 4% discount).\n10\n  Contract Year 1 - Project officer is unsure why item was not billed but reported it is likely a duplicate\nand/or cancelled order. CAPRS record for this contract year is archived.\n11\n     Contract Year 2 - Maintenance item fixed by user.\n12\n     Contract Year 3 - One item not covered under contract and the other item fixed by the user.\n\n\n                                                      B-5\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\n\nMEMORANDUM\n\n\nDate:      April 30, 2007                                                         Refer To:   S1J-3\n\nTo:        Patrick P. O'Carroll, Jr.\n           Inspector General\n\nFrom:      Larry W. Dye /s/\n           Thru: OEO_____________\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cReview of the Social Security\n           Administration\xe2\x80\x99s Information Technology Maintenance and Local Area Network Relocation\n           Contract\xe2\x80\x9d (A-14-07-17022)--INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the draft report content\n           and recommendations are attached.\n\n           Please let me know if we can be of further assistance. Staff inquiries may be directed to\n           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n                                                         C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cREVIEW OF THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\nINFORMATION TECHNOLOGY MAINTENANCE AND LOCAL AREA NETWORK\nRELOCATION CONTRACT\xe2\x80\x9d (A-14-07-17022)\n\nThank you for the opportunity to review and comment on the draft report. 
We appreciate your\nconducting this audit of SSA\xe2\x80\x99s information technology maintenance and local area network\nrelocation contract.\n\nRecommendation 1\n\nSSA should strengthen internal controls to ensure that contractor personnel performing under\ncontracts have obtained the appropriate suitability determinations.\n\nComment\n\nWe agree. On April 3, 2007, SSA received a list from Diebold Information and Security Systems\nLLC (Diebold-ISS) with the names of approximately 540 Diebold-ISS employees. As of April 5,\n2007, SSA sent Relocation and Task Order letters to Diebold-ISS that contained the requirements\nset forth in Addendum D-20 of the contract. Addendum D-20 states the contractor and\nsubcontractors are required to submit a copy of their suitability letters to the project officer 10 days\nprior to a Relocation or Task Order activity.\nHowever, one-time visits require a waiver. The waiver consists of all security clearance forms\nwith the exception of fingerprint cards. This waiver is for a one-time visit to any SSA building. If\nthe same contractor/subcontractor needs to make another visit to any SSA building in the future,\nthey will have to meet the full requirements of the suitability regulations.\n\nRecommendation 2\n\nSSA should continue to work with Diebold-ISS to improve the support provided with invoices for\ntask and relocation orders.\n\nComment\n\nWe agree. In November 2006, the Agency sent a letter to Diebold-ISS requesting more detailed\nbilling information in support of invoices being submitted for payment. As a result, Diebold-ISS is\nnow providing additional information with its invoices.\n\n\n\n\n                                                 C-2\n\x0cRecommendation 3\n\nSSA should resolve the incorrectly billed payments made to Diebold-ISS, as appropriate.\n\nComment\n\nWe agree. The Agency is reviewing the invoices in question. 
We note that during the review SSA\ncontract managers contacted Diebold-ISS representatives and are now working with Diebold-ISS to\nresolve any incorrectly billed amounts and to immediately recover any payments made in error.\n\nRecommendation 4\n\nSSA should assess the feasibility of recording relocation and task order numbers in the Agency\xe2\x80\x99s\nfinancial accounting system.\n\nComment\n\nWe agree. The Agency has developed and implemented new procedures to ensure that relocation\nand task order numbers are correctly recorded in the Agency\xe2\x80\x99s financial accounting system. These\nnew procedures were implemented in March 2007 and employees have been informed and trained\non the new procedures.\n\nRecommendation 5\n\nSSA should designate an alternate project officer in the Diebold-ISS contract.\n\nComment\n\nWe agree. The Agency is in the process of modifying the existing contract to add an alternate\nproject officer.\n\nRecommendation 6\n\nSSA should ensure future hard drive destruction reports are made timely and include the required\ninformation.\n\nComment\n\nWe agree. The November 2006 letter sent to Diebold-ISS addressed this recommendation.\nDiebold-ISS is to submit a monthly report on the certification/report of hard drive replacement and\ndisposition. The reports are to be submitted to the project officer timely and should contain all of\nthe information that is outlined in the contract.\n\n\n\n\n                                               C-3\n\x0cRecommendation 7\n\nIn cases where incomplete hard drive destruction reports were provided to SSA after August 2004,\nSSA should request that Diebold-ISS provide updated reports where necessary.\n\nComment\n\nWe agree. 
In April 2007, Diebold-ISS provided SSA with updated destruction reports.\n\nRecommendation 8\n\nSSA should continue to periodically ask for a sample of replaced hard drives to test to determine\nwhether Diebold-ISS erased or otherwise destroyed all data on the units as required.\n\nComment\n\nWe agree. On March 16, 2007, the Agency requested that Diebold-ISS send at least 2 hard drives\nthat have been destroyed for our inspection. Since then, we have received 2 hard drives that were\ndegaussed. Also, on March 27, 2007, Task Order number 0797 was issued to send the hard drives\nto a Data Recovery Facility to attempt to recover the data. The Data Recovery Facility will prepare\na report of findings upon completion of the task order.\n\n\n\n\n                                               C-4\n\x0c                                                                     Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kitt Winter, Director, Data Analysis and Technology Audits Division, (410) 965-9702\n\n   Al Darago, Audit Manager, Application Controls Branch, (410) 965-9710\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Deborah Kinsey, Auditor-in-Charge\n\n   Anita McMillan, Senior Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. 
Refer to Common Identification\nNumber A-14-07-17022.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                         Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure program\nobjectives are achieved effectively and efficiently. Financial audits assess whether SSA\xe2\x80\x99s\nfinancial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash flow.\nPerformance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs and\noperations. OA also conducts short-term management and program evaluations and projects on\nissues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. 
Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c"